Do AI chatbots tell the truth?
I performed a little experiment using Google Gemini 2.5 Flash that demonstrated just how poorly chatbots can perform when asked for facts—and when asked why their “facts” are fiction.
Karen Scarfone's Publications and Blog
Welcome! This site has links to my online publications and blog posts. Sign up to get a weekly email update when I release a new pub or blog post.
Welcome to the Trusted Cyber Annex
Trusted Cyber Annex gives you honest, high-integrity cybersecurity guidance for free.
What is the Future of Cybersecurity?
As cyberthreats grow more sophisticated, enterprises face mounting challenges. What does the future of cybersecurity hold, and how can organizations stay ahead?
How to Build a Cybersecurity Strategy and Plan in 4 Steps
Planning a cybersecurity strategy for your organization takes effort, but it could mean the difference between surpassing your competitors and going out of business. Here are the basic steps to follow in developing an effective security strategy.
Cybersecurity Skills Gap: Why It Exists and How to Address It
Bridging this vast gap requires an understanding of why the cybersecurity skills shortage persists. This article explores the conundrum and proposes several ways that IT leaders and their organizations can address the underlying problems.
12 Smart Contract Vulnerabilities and How to Mitigate Them
When deploying a smart contract written in Solidity on the popular smart contract platform Ethereum, development teams need to be especially aware of the following attack vectors and how to eliminate them.
Cybersecurity Governance: A Guide for Businesses to Follow
Cybersecurity governance is now critical, with NIST CSF 2.0 recently adding it as a dedicated function. Learn why governance is core to an effective cyber strategy.
Multifactor Authentication: 5 Examples and Strategic Use Cases
Let's assess MFA and its role today by examining examples of authentication factors, business MFA use cases and best practices for every organization to follow.
SentinelOne vs. CrowdStrike: EPP Tools for the Enterprise
Two popular EPP options today are the SentinelOne Singularity Platform and CrowdStrike Falcon. Read further to compare the two EPPs' key features, pricing models and performance.
5G Network Security Design Principles
This publication provides the network infrastructure security design principles that commercial and private 5G network operators are encouraged to use. Such a network infrastructure isolates types of 5G network traffic from each other — data plane, signaling, and operation and maintenance (O&M) traffic — to improve cybersecurity and privacy. These security principles were demonstrated on the NCCoE 5G security testbed.
3 Top Multifactor Authentication Tool Providers in 2025
Learn about three top MFA providers: Cisco, Okta and Ping Identity. Also, get advice on how to choose the best MFA tool for your organization.
Implementing a Zero Trust Architecture
This publication outlines results and best practices from the NCCoE effort featuring work with 24 vendors to demonstrate end-to-end Zero Trust Architectures.
GenAI Use and Misuse
GenAI is a tool, not a solution. It doesn't have magic powers to think for you.
Account Lockout Policy: Setup and Best Practices Explained
Let's look at the main elements of an account lockout policy and review best practices for creating and implementing effective account lockout policies for your organization.
What is Crypto Ransomware? How Cryptocurrency Aids Attackers
Crypto ransomware is a form of ransomware that uses cryptography to encrypt computer files so that the victim cannot access them. In exchange for the demanded ransom, the attacker claims it will tell the victimized business how to regain access to the stolen data.
Debunking Myths About Data Breach Disclosures in Higher Ed
Every university must be prepared to quickly detect and handle its data breaches, and that includes disclosing breaches of sensitive student data to the appropriate parties in a timely manner. Here are some facts and fallacies about disclosing data breaches at universities.
Microsoft Supports Solutions to Help Feds Police Their AI Work
Let’s take a closer look at several Microsoft tools that could help federal agencies secure their AI environments and AI use.
Towards Automating IoT Security: Implementing Trusted Network-Layer Onboarding
This document provides an overview of trusted IoT device network-layer onboarding, a capability for securely providing IoT devices with their local network credentials in a manner that helps to ensure that the network is not put at risk as new IoT devices are connected to it— enhancing network security and management.
Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile
SP 800-61 Revision 3 seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities as described by the NIST Cybersecurity Framework (CSF) 2.0.
5G Cybersecurity (Executive Summary)
As the first volume of the practice guide, this document summarizes the most significant cybersecurity and privacy recommendations identified thus far from our research on this project. For more information, project goals and implementation details are being documented in a second NIST Cybersecurity Practice Guide Volume B. In addition, detailed information on 5G cybersecurity and privacy capabilities is also being published as part of a white paper series.
MFA for Criminal Justice Information Systems
Criminal and non-criminal justice agencies in the U.S. require the use of multi-factor authentication (MFA) to protect access to criminal justice information (CJI). This document provides a general overview of MFA, outlines design principles and architecture considerations for implementing MFA to protect CJI, and offers specific examples of use cases that agencies face today.
CSF Profile for Semiconductor Manufacturing
This draft Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to semiconductor manufacturing systems.
Integrating Cybersecurity and Enterprise Risk Management (ERM)
This document is intended to help individual organizations within an enterprise improve their cybersecurity risk information, which they provide as inputs to their enterprise’s ERM processes through communications and risk information sharing.
The ends do not justify the means
Do something to help our federal employees.
Load More